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MOTIVATION 

The  early  work  in  program  synthesis  relied  strongly  on  mechanical  theorem-proving 
techniques.  The  work  of  Green  [1969]  and  Waldinger  and  Lee  [1969],  for  example, 
depended  on  resolution-based  theorem-proving;  however,  the  difficulty  of  representing  the 
principle  of  mathematical  induction  in  a resolution  framework  hampered  these  systems  in 
the  formation  of  programs  with  iterative  or  recursive  loops.  More  recently,  program 
synthesis  and  theorem  proving  have  tended  to  go  their  separate  ways.  Newer  theorem 
proving  systems  are  able  to  perform  proofs  by  mathematical  induction  ( e.g .,  Boyer  and 
Moore  [1976]),  but  are  useless  for  program  synthesis  because  they  have  sacrificed  the 
ability  to  prove  theorems  involving  existential  quantifiers.  Recent  work  in  program 
synthesis  (e.g.,  Burstall  and  Darlington  [1977]  and  Manna  and  Waldinger  [1977]),  on  the 


other  hand,  has  abandoned  the  theorem-proving  approach,  and  has  relied  instead  on  the 
direct  application  of  transformation  or  rewriting  rules  to  the  program's  specifications;  in 
choosing  this  path,  these  systems  have  renounced  the  use  of  such  theorem-proving 
techniques  as  unification  or  induction. 


In  this  paper,  we  describe  a framework  for  program  synthesis  that  again  relies  on  a 
theorem-proving  approach.  This  approach  combines  techniques  of  unification,  mathematical 
induction,  and  transformation  rules  within  a single  deductive  system.  We  will  outline  the 
logical  structure  of  this  system  without  considering  the  strategic  aspects  of  how 
deductions  are  directed.  Although  no  implementation  exists,  the  approach  Is  machine- 
oriented  and  ultimately  intended  for  implementation  in  automatic  synthesis  systems. 


In  the  next  section,  we  will  give  examples  of  specifications  accepted  by  the  system. 
In  the  succeeding  sections,  we  explain  the  relation  between  theorem  proving  and  our 
approach  to  program  synthesis. 
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SPECIFICATION 


The  specification  of  a program  allows  us  to  express  the  purpose  of  the  desired  program, 
without  indicating  an  algorithm  by  which  that  purpose  is  to  be  achieved.  Specifications 
may  contain  high-level  constructs  that  are  not  computable,  but  are  close  to  our  way  of 
thinking.  Typically,  specifications  involve  such  constructs  as  the  quantifiers  for  all  ...  and 
for  some...,  the  set  constructor  {x;  ...},  and  the  descriptor  find  z such  that.  . . . 


For  example,  to  specify  a program  to  compute  the  integer  square-root  of  a nonnegative 
integer  n,  we  would  write 


sqrtin)  <■  find  z such  that 

inttger(z)  and  z2  i n < (z+l)' 
when  integerin)  and  Osn, 


Here,  the  input  condition 


integerin)  and  0 s n 


expresses  the  class  of  legal  inputs  to  which  the  program  is  expected  to  apply.  The  output 

condition 


integer(z)  and  z2  i n < (z+1)2 


describes  the  relation  the  output  z is  intended  to  satisfy. 


To  describe  a program  to  sort  a list  /,  we  might  write 


sortQ)  <■  find  z such  that 

orderediz)  and  permit,  z) 
where  islistil). 


Here,  ordered(z)  expresses  that  the  elements  of  the  output  list  z should  be  in 
nondecreasing  order;  permit,  z)  expresses  that  z should  be  a permutation  of  the  Input  l\ 
and  Islistil)  expresses  that  l can  be  assumed  to  be  a list. 


Finally,  to  describe  a program  to  find  the  last  element  of  a nonempty  list  /,  we  might 


lastil)  <■  find  z such  that 

for  some  y,  l ■ ><>[*] 
where  Islistil)  and  l * []. 
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Here,  uov  denotes  the  result  of  appending  the  two  lists  u and  v;  [u]  denotes  the  list 
whose  sole  element  Is  u;  end  []  denotes  the  empty  list.  (Thus,  [A  B C]<>[D]  yields 
[ABC  D];  therefore,  by  the  above  specification,  /ast([  A B C D])  ■ D.) 

In  general,  we  are  considering  the  synthesis  of  programs  whose  specifications  have  the 
form 


J[a)  <■  find  z such  that  R(a,  z) 
where  P(a). 

Thus,  in  this  paper  we  limit  our  discussion  to  the  synthesis  of  applicative  programs,  which 
yield  an  output  but  produce  no  side  effects.  To  derive  a program  from  such  a 
specification,  we  attempt  to  prove  a theorem  of  the  form 

for  all  a, 
if  P(,a) 

then  for  some  z,  R(a,  z). 

The  proof  of  this  theorem  must  be  constructive,  in  the  sense  that  it  must  tell  us  how  to 
find  an  output  z satisfying  the  desired  output  condition.  From  such  a proof,  a program  to 
compute  z can  be  extracted. 
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BASIC  STRUCTURE 

The  basic  structure  employed  in  our  approach  is  the  sequent,  which  consists  of  two  lists 

of  sentences,  the  assertions  A,,  A2 Am,  and  the  goals  G,,  G2 G„.  With  each 

assertion  or  goal  there  may  be  associated  an  entry  called  the  output  expression.  This  output 
entry  has  no  bearing  on  the  proof  itself,  but  records  the  program  segment  that  has  been 
constructed  at  each  stage  of  the  derivation  (cf.  the  "answer  literal"  in  Green  [1969]). 
We  will  denote  a sequent  by  a table  with  three  columns:  assertions,  goals,  and  output. 
Each  row  in  the  sequent  has  the  form 


assertions 

goals 

output 

A, (a,  x) 

t,(a,  x) 

or 


The  meaning  of  a sequent  is  that  if  all  instances  of  each  of  the  assertions  are  true, 
then  some  instance  of  at  least  one  of  the  goals  is  true;  more  precisely,  the  sequent  has 
the  same  meaning  as  its  associated  sentence 

if  for  all  x,  A\(a,  x)  and 
for  all  x,  A2{a,  x)  and 


for  all  x,  An(a,  x) 
then  for  some  x,  Gj(a,  x)  or 
for  some  x,  G2(a,  x)  or 


for  some  x,  Gn(a,  x) 

where  a denotes  all  the  constants  of  the  sequent  and  x denotes  all  the  free  variables.  (In 
general,  we  will  denote  constants  or  tuples  of  constants  by  a,  b,  c,  ....  n and  variables 
or  tuples  of  variables  by  u,  v,  to z.)  If  some  instance  of  a goal  Is  true  [or  some 
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instance  of  an  assertion  is  false],  the  corresponding  Instance  of  its  output  expression 
satisfies  the  given  specification.  In  other  words,  if  some  instance  G;(a,  e)  is  true  [or  some 
instance  A, (a,  e)  is  false],  then  the  corresponding  instance  tfa,  e)  [or  t,{a,  *)]  satisfies  the 
specification. 

Note  that:  (1)  an  assertion  or  goal  is  not  required  to  have  an  output  entry;  (2)  an 
assertion  and  a goal  never  occupy  the  same  row  of  the  sequent;  (3)  the  variables  in  each 
row  are  "dummys,"  that  we  can  systematically  rename  without  changing  the  meaning  of  the 
sequent. 

The  distinction  between  assertions  and  goals  is  artificial,  and  does  not  increase  the 
logical  power  of  the  deductive  system.  In  fact,  if  we  delete  a goal  from  a sequent,  and 
add  its  negation  as  a new  assertion,  we  obtain  an  equivalent  sequent;  similarly,  we  can 
delete  an  assertion  from  a sequent,  and  add  its  negation  as  a new  goal,  without  changing 
the  meaning  of  the  sequent.  This  property  is  known  as  duality.  Nevertheless,  the 
distinction  between  assertions  and  goals  makes  our  deductions  easier  to  understand. 

If  initially  we  are  given  the  specification 

/{a)  <•  find  z such  that  R(a,  z) 
where  P(a), 

we  construct  the  initial  sequent 


Assertions 

Goals 

Output 

P(a) 

R(a,  z) 

z 

In  other  words,  we  assume  that  the  input  condition  P(a)  Is  true,  and  we  want  to  prove  that 
for  some  z,  the  goal  R(a,  z)  Is  true;  If  so,  i represents  the  desited  output.  Quantifiers  have 
been  removed  by  the  usual  skolemization  procedure  (see,  e.g.,  Nilsson  [1971]).  The 
output  z is  a variable,  lor  which  we  can  make  substitutions;  the  input  a is  a constant. 

The  Input  condition  P(a ) is  not  the  only  assertion  in  the  sequent;  typically,  simple,  basic 
axioms,  such  as  u • u,  are  represented  as  assertions  that  are  tacitly  present  in  all 
sequents.  Many  properties  of  the  subject  domain,  however,  are  represented  by  other 
means,  as  we  shall  see. 
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The  deductive  system  we  describe  operates  by  causing  new  assertions  and  goals,  and 
corresponding  new  output  expressions,  to  be  added  to  the  sequent  without  changing  its 
meaning.  The  process  terminates  if  the  goal  true  (or  the  assertion  false)  is  produced, 
whose  corresponding  output  expression  consists  entirely  of  primitives  from  the  target 
programming  language;  this  expression  is  the  desired  program.  In  other  words,  if  we 
develop  a row  of  form 


I 


where  t is  a primitive  expression,  the  desired  program  is  of  form 
f{a)  <■  t. 

Note  that  this  deductive  procedure  never  requires  us  to  establish  new  sequents  or 
(except  for  strategic  purposes)  to  delete  an  existing  assertion  or  goal.  In  this  sense,  the 
approach  more  resembles  resolution  than  "natural  deduction." 

In  the  remainder  of  this  paper  we  outline  the  deductive  rules  of  our  system,  and  we 
present  two  complete  examples  illustrating  the  application  of  the  system  to  program 
synthesis. 

I - 1 1 SB  ■ I i m I . 


...  3*  . v'“  • » .-  ' 'V' 


and  the  if  split  rule 


Note  that  the  output  entries  for  the  consequents  of  the  splitting  rules  are  exactly  the 
same  as  the  entries  for  their  antecedents. 


assertions 


goals 


output 


if  F then  G 


SPLITTING  RULES 

The  splitting  rules  allow  us  to  decompose  an  assertion  or  goal  into  Its  logical 
components.  For  example,  if  our  sequent  contains  an  assertion  of  form  F and  G,  we  can 
introduce  the  two  assertions  F and  G into  the  sequent  without  changing  its  meaning.  We 
will  call  this  the  andsplit  rule  and  express  it  in  the  following  notation: 

the  andsplit  rule 


assertions 

goals 

output 

F and  G 

t 

F 

t 

G 

t 

Similarly,  we  have  the  orsplit  rule 


assertions 


goals 
F or  G 


output 


assertions 


output 


F or  C 
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Although  initially  only  the  goal  has  an  output  entry,  the  ifsplit  rule  can  introduce  an 
assertion  with  an  output  entry.  Such  assertions  are  rare  in  practice,  but  can  arise  by  the 
action  of  such  rules. 
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TRANSFORMATION  RULES 

Transformation  rules  allow  one  assertion  or  goal  to  be  derived  from  another.  Typically, 
transformations  are  expressed  as  conditional  rewriting  rules 

r =»  s if  P 

meaning  that  In  any  assertion,  goal,  or  output  expression,  a subexpression  of  form  r can  be 
replaced  by  the  corresponding  expression  of  form  s,  provided  that  the  condition  P holds. 
We  never  write  such  a rule  unless  r and  s are  equal  terms  or  equivalent  sentences, 
whenever  condition  P holds.  For  example,  the  transformation  rule 

u € v =»  u = head{ v)  or  u t tail{v)  if  islist{v ) and  v * [] 

expresses  that  an  element  belongs  to  a nonempty  list  if  It  equals  the  head  of  the  list  or 
belongs  to  its  tail.  (Here,  head(v ) denotes  the  first  element  of  the  list  v,  and  tail(v)  denotes 
the  list  of  all  but  the  first  element.)  The  rule 

u|0  z*  true  if  integer(u)  and  u * 0 

expresses  that  every  nonzero  integer  divides  zero. 

If  a rule  has  the  vacuous  condition  true,  we  write  it  with  no  condition;  for  example,  the 
logical  rule 

{?  and  true  =>  Q 

may  be  applied  to  any  subexpression  that  matches  Its  left-hand  side. 

A transformation  rule 
r=>  s ifP 

is  not  permitted  to  replace  an  expression  of  form  s by  the  corresponding  expression  of 
form  r when  the  condition  P holds,  even  though  these  two  expressions  have  the  same 
values.  For  that  purpose,  we  would  require  a second  rule 


s =*  r if  P. 


For  example,  we  might  include  the  rule 
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x * 0 *=>  x if  number(x) 
but  not  the  rule 

x =>  x + 0 if  n umber(x). 

Assertions  and  goals  are  affected  differently  by  transformation  rules.  Suppose 
r =>  s if  P 

Is  a transformation  rule  and  F(r')  is  an  assertion  such  that  Its  subexpression  r'  is  not 
within  the  scope  of  any  quantifier.  Suppose  also  that  there  exists  a unifier  for  r and  r', 
i.e.,  a substitution  6 such  that  rO  and  r'Q  are  identical.  Here,  r6  denotes  the  result  of 
applying  the  substitution  6 to  the  expression  r.  We  can  assume  that  0 is  a "most  general" 
unifier  (in  the  sense  of  Robinson  [1065])  of  r and  r',  (We  rename  the  variables  of  F(r'),  if 
necessary,  to  insure  that  It  has  no  variables  in  common  with  the  transformation  rule.)  By 
the  rule,  we  can  conclude  that  if  Pd  holds,  then  rd  and  sd  are  equal  terms  or  equivalent 
sentences.  Therefore,  we  can  add  the  assertion 

if  Pd  then  F(s)0 

to  our  sequent. 

For  example,  suppose  we  have  the  assertion 
a ( l and  a « 0 

and  we  apply  the  transformation  rule 

uiv  =»  u * head(v)  or  ut  tail(v)  if  isllst(v)  and  v * [], 

taking  r'  to  be  a ( / and  6 to  be  the  substitution  [ u •»  a;  v - l ];  then  we  obtain  the  new 
assertion 

if  islist(l)  and  / k [] 

then  (a  - head(t)  or  a i tail(l))  and  a « 0. 

Note  that  a and  / are  constants,  while  u and  v are  variables,  and  indeed,  the  substitution 
was  made  for  the  variables  of  the  rule  but  not  for  the  constants  of  the  assertion. 

In  general,  if  the  given  assertion  F(r ')  has  an  associated  output  entry  t,  the  new  output 
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entry  is  formed  by  applying  the  substitution  0 to  t.  For,  suppose  some  instance  of  the  new 
assertion  "if  Pd  then  F(s)d"  is  false;  then  the  corresponding  Instance  of  PO  is  true,  and  the 
corresponding  instance  of  F(s)d  Is  false.  Recall  that  F(r)0  and  F(r')d  are  identical.  Then, 
by  the  transformation  rule,  the  corresponding  instance  of  F(r)0,  i.e.  of  F{r')d,  is  false.  We 
know  that  if  any  instance  of  F(r')  is  false,  the  corresponding  instance  of  ( satisfies  the 
given  specification.  Hence,  becauso  some  instance  of  F(r')d  is  false,  the  corresponding 
instance  of  (6  is  the  desired  output. 

In  our  deduction  rule  notation,  we  write 


(Transformation  rules  can  also  be  applied  to  output  entries  in  an  analogous  manner.) 
For  example,  suppose  we  have  the  goal 


and  we  apply  the  transformation  rule 

u|0  =>  true  If  integeiiu)  and  u « 0, 

taking  r'  to  be  a|z  and  6 to  be  the  substitution  [ z 0;  u a ].  Then  we  obtain  the  goal 


!* 


.'.’■fclmiiiaaf  #-'iir.S>nrr , 


Note  that  applying  the  transformation  rule  caused  a substitution  to  be  made  for  the 
occurrences  of  the  variable  z in  the  goal  and  the  output  entry. 

Transformation  rules  need  not  be  simple  rewriting  rules;  they  may  represent  arbitrary 
procedures.  For  example,  r could  be  an  equation /(x)  ■ a,  s could  be  its  solution  x - t,  and 
P could  be  the  condition  under  which  that  solution  applies.  In  general,  efficient  procedures 
for  particular  subtheories  may  be  represented  as  transformation  rules  (see,  e.g. , Bledsoe 
[1977]  or  Nelson  and  Oppen  [1978].) 

Transformation  rules  play  the  role  of  the  "antecedent  theorems"  and  "consequent 
theorems"  of  PLANNER  (Hewitt  [1971]).  For  example,  a consequent  theorem  that  we  might 
write  as 

to  prove  flu)  - flv) 
prove  u - v 

can  be  represented  by  the  transformation  rule 


flu)  - flv)  =*  true  If  u - v . 


This  rule  will  have  the  desired  effect  of  reducing  the  goal  /(a)  • flb)  to  the  simpler  subgoal 
a - b,  and  (like  the  consequent  theorem)  will  not  have  the  pernicious  side  effect  of 


i 
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deriving  from  the  simple  assertion  a - b the  more  complex  assertion  f[a)  - flb).  The 
axiomatic  representation  of  the  same  fact  would  have  both  results.  (Incidentally,  the 
transformation  rule  has  the  beneficial  effect,  not  shared  by  the  consequent  theorem,  of 
deriving  from  the  complex  assertion  notifla)  - flb))  the  simpler  assertion  not(a  - b).) 
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, RESOLUTION 

The  original  resolution  principle  (Robinson  [1066])  applied  only  to  a sentence  in 
conjunctive  normal  form.  However,  the  ability  to  deal  with  sentences  not  In  this  form  is 
essential  if  resolution  and  mathematical  Induction  are  to  coexist  happily  within  the  same 
framework.  The  version  of  resolution  we  employ  does  not  require  the  sentences  to  be  in 
conjunctive  normal  form. 

Assume  our  sequent  contains  two  assertions  of  form  F(Pt)  and  C(P2),  where  Pt  and  P2 
are  subsentences  of  these  assertions  not  within  the  scope  of  any  quantifier.  For  the  time 
being,  let  us  ignore  the  output  expressions  corresponding  to  these  assertions.  Suppose 
there  exists  a unifier  for  Pt  and  P2,  i.e.,  a substitution  6 such  that  Pfi  and  P2&  are 
identical.  We  can  take  6 to  be  the  most  general  unifier.  The  AA-rtsolution  rule  allows  us 
to  deduce  the  new  assertion 


F{true)6  or  G{false)6, 


and  add  it  to  the  sequent.  (Here,  F(true)  denotes  the  result  of  replacing  Pt  by  true  In 
F(P |).  Of  course,  we  may  need  to  do  the  usual  renaming  to  ensure  that  F(Pt)  and  C{P2) 
have  no  variables  in  common.)  We  will  call  6 the  unifying  substitution  and  Ps6  ^Pjd)  the 
eliminated  subexpression ; the  deduced  assertion  is  called  the  resolvent.  Note  that  the  rule  Is 
symmetric,  so  the  roles  of  F(Pt)  and  G(P2)  may  be  reversed. 


For  example,  suppose  our  sequent  contains  the  assertions 


The  two  subsentences  "Pix)  and  Q(6)"  and  ”P(a)  and  Qt^)"  can  be  unified  by  the 
substitution 


Therefore,  the  AA-resolution  rule  allows  us  to  eliminate  the  subexpression  nP(a)  and  Qt^bY 
and  derive  the  conclusion 


which  reduces  to 
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R(a) 

by  application  of  the  appropriate  transformation  rules. 

The  conventional  resolution  rule  may  be  regarded  aa  a special  case  of  the  above  AA- 
resolution  rule.  The  conventional  rule  allows  us  to  derive  from  the  two  assertions 

(not  P \)  or  (l 

and 

P2  or  R 

the  new  assertion 


THE  RESOLUTION  RULES 

We  have  defined  the  AA-resolution  rule  to  derive  conclusions  from  assertions: 
the  AA-resolution  rule 


assertions 

goals 

F(P\) 

C(P2) 

F(true)6  or  G(false)d 

where  P - P 20,  and  6 is  most  general. 

By  duality,  we  can  regard  goals  as  negated  assertions;  consequently,  the  following 
three  rules  are  corollaries  of  the  AA-resolution  rule: 

the  GG-resolution  rule 


assertions 

goals 

F(P\) 

C(P2) 

F(true)0  and  G(false)6 

the  GA-resolution  rule 


assertions 

goals 

C(P2) 

F(P\) 

F(true)6  and  (not  G(false)6) 


MtOm 


17 


the  AG-resolution  ru.lt 


assertions 

goals 

F(P ,) 

C(P2) 

| ( not  F(true)d)  and  G(false)d 

where  P,,  P2,  and  6 satisfy  the  same  condition  as  lor  the  AA-reso!ution  rule. 

Up  to  now,  we  have  ignored  the  output  expressions  of  the  assertions  and  goals. 
However,  if  at  least  one  of  the  sentences  to  which  a resolution  rule  is  applied  has  a 
corresponding  output  expression,  the  resolvent  will  also  have  an  output  expression.  If 
only  one  of  the  sentences  has  an  output  expression,  eay  t,  then  the  resolvent  will  have 
the  output  expression  td.  On  the  other  hand,  it  the  two  sentences  F(P,)  and  G{P2)  have 
output  expressions  t 1 and  t2,  respectively,  the  resolvent  will  have  the  output  expression 


if  P ,6  then  t ,6  else  t2d. 

The  justification  for  constructing  this  conditional  as  an  output  expression  is  as  follows; 
we  consider  only  the  GG  case:  Suppose  the  goal 

F(true)0  and  G(false)6 

has  been  obtained  by  GG-resolution  from  two  goals  F(P,)  and  G{P2).  We  would  like  to 
show  that  if  this  goal  is  true,  the  conditional  output  expression  satisfies  the  desired 
specification.  We  assume  that  the  resolvent  is  true;  therefore  both  F(true)6  and  G{false)6 
are  true.  In  the  case  that  P,6  is  true,  we  have  that  F(P,)6  Is  Identical  to  F(,true)6,  and 
therefore  Is  true.  Consequently,  the  corresponding  instance  t,0  of  the  output  expression  t, 
satisfies  the  specification  of  the  desired  program.  In  the  other  case,  in  which  P ,6  is  false, 
Pjd  is  false,  and  the  same  reasoning  allows  us  to  conclude  that  t $ satisfies  the 
specification  of  the  desired  program.  In  either  case,  we  can  conclude  that  the  conditional 

if  P \Q  then  t,6  else  t$ 

satisfies  the  desired  specification.  By  duality,  the  earns  output  expression  can  be  derived 
for  AA-resolutlon,  GA-resolutlon,  and  AG-reaolutlon. 
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For  example,  let  u-v  denote  the  operation  of  Inserting  u before  the  first  element  of  the 
list  v,  and  supposo  we  have  the  goal 


assertions 

goals 

output 

head(z)  * a and  tail(z)  « b 

z 

and  we  have  the  assertion 


head(u.‘v)  ■ u 


with  no  output  expression;  then  by  GA-resolution,  applying  the  substitution 
0 = [ u - a;  z - a-v  ] 
and  eliminating  the  subsentence 
head(a'V)  * a, 
we  obtain  the  new  goal 


( true  and  tail(a>t>)  - b)  and 

a»v 

(nor  false) 

which  can  be  reduced  to 


taiKa'v)  • b 


a-v 


by  application  of  the  appropriate  transformation  rules.  Note  that  we  have  applied  the 
substitution  [ u *•  a;  z - a>v  ] to  the  original  output  expression  z,  obtaining  the  new  output 
expression  a*w.  Therefore,  if  we  can  find  v such  that  tail(a‘v)  • b,  the  corresponding 
Instance  of  a*v  will  satisfy  the  desired  specification. 

Another  example;  suppose  we  have  derived  the  two  goals 
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max{tail(l))  i headU) 

max(tail(l)) 

and  tail(l)  * [] 

not{  max(tail(l))  i head(l)  ) 

head(l) 

and  tail(l)  * [] 

Then  by  GG-resolution,  eliminating  the  subsentence  max(tail(l ))  i dead(l),  we  can  derive  the 
new  goal 
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THE  POLARITY  STRATEGY 

Not  all  applications  of  the  resolution  rules  will  produce  valuable  conclusions.  For 
example,  suppose  we  are  given  the  goal 

goals 

Pic,  x)  and  Q(,x,  a) 

and  the  assertion 

assertions 

if  P(y,  d)  then  Qjib,  y) 

Then  if  wo  apply  GA-resolution,  eliminating  Q(6,  a),  we  can  obtain  the  resolvent 
{Pic,  b ) and  true ) and  notiif  P(a,  d)  then  false), 
which  reduces  to  the  goal 

P(c,  b)  and  P(a,  d) 

However,  we  con  also  apply  GA-resolution  and  eliminate  P{c,  d),  yielding  the  resolvent 
( true  and  Qt,d,  a))  and  notiif  false  then  Qf,b,  ()), 
which  reduces  to  the  trivial  goal 

false 

Finally,  we  can  also  apply  AG-reaolutir  . to  the  aame  assertion  and  goal  in  two  different 
ways,  eliminating  P(c,  d)  and  eliminating  Q(*.  a);  both  of  theae  applications  lead  to  the  same 
trivial  goal  false. 
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A polarity  strategy  adapted  from  Murray  [1978]  restricts  the  resolution  rules  to  prevent 
many  such  fruitless  applications. 

We  first  assign  a polarity  (either  positive  (♦)  or  negative  (-)  or  both)  to  every 
subsentence  of  a given  sequent,  as  follows; 


• each  goal  is  positive 


• each  assertion  is  negative 

• if  a subsentence  5 has  form  " not  a ",  then  its  component  a has  polarity  opposite  to  5 

\ 


® i fa  subsentence  5 has  form  "a  and  /S,"  "a  or  5",  "for  all  x,  a",  or  "for  some  x,  then  its 
components  a and  (3  have  the  same  polarity  as  S 

® if  a subsentence  5 has  form  “if  a then  (3",  then  |5  has  the  same  polarity  as  S,  but  a has 
the  opposite  polarity. 


F:or  example,  the  above  goal  and  assertion  are  annotated  with  the  polarity  of  each 
subsentence,  as  follows: 


assertions 


goals 


(if  P(y,  rf)+  then  Q (b,y)~r 


output 


(Pic,  x)+  and  Q(x,a)+)+ 


i 


The  four  resolution  rules  we  have  presented  replace  certain  subsentences  by  true,  and 
others  by  false.  The  polarity  strategy,  thon,  permits  a subsentence  to  be  replaced  by  true 
only  if  it  has  at  toast  one  positive  occurrence,  and  by  false  only  if  has  at  least  one 
negative  occurrence.  For  example,  we  are  permitted  to  apply  GA-resolution  to  the  above 
goal  and  assertion,  eliminating  Q(b,  a),  because  Q(x,  a),  which  is  replaced  by  true,  occurs 
positively  in  the  goal,  and  Q(6,  ji),  which  is  replaced  by  false,  occurs  negatively  In  the 
assertion.  On  the  other  hand,  we  are  not  permitted  to  apply  GA-resolution  to  eliminate 
P(c,  d),  because  P(y,  d),  which  is  replaced  by  false,  only  occurs  positively  in  the  assertion. 
Similarly,  we  are  not  permitted  to  apply  AG-resolution  between  this  assertion  and  goal, 
whether  we  eliminate  P(c,  d)  or  Qfb,  a).  Indeed,  the  only  application  of  resolution  permitted 
by  the  polarity  strategy  is  the  one  that  led  to  a nontrivial  conclusion. 


"'4 
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r \ . 

* 

The  deductive  system  we  have  presented  so  tar,  including  the  splitting  rules,  the 
resolution  rules,  and  an  appropriate  set  of  logical  transformation  rules,  constitutes  a 
complete  system  for  first-order  logic,  in  the  sense  that  a derivation  exists  for  every  valid 
sentence.  (Actually,  only  the  resolution  rules  and  some  of  the  logical  transformation  rules 
ore  strictly  necessary.)  The  above  polarity  strategy  does  not  interfere  with  the 
completeness  of  the  system. 


i 
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MATHEMATICAL  INDUCTION  AND  THE  FORMATION  OF  RECURSIVE  CALLS 

Mathematical  induction  is  of  special  importance  for  deductive  systems  intended  for 
program  synthesis,  because  it  is  only  by  the  application  of  some  form  of  the  induction 
principle  that  recursive  calls  or  iterative  loops  are  introduced  Into  the  program  being 
constructed.  The  Induction  rule  we  employ  is  a version  of  the  principle  of  mathematical 
induction  over  a well-founded  set,  known  in  the  computer  science  literature  as  "structural 
induction." 

We  may  describe  this  principle  as  follows:  In  attempting  to  prove  that  a sentence  of 
form  F(a)  holds  for  every  element  a of  some  well-founded  set,  we  may  assume  inductively 
that  the  sentence  holds  for  all  u that  are  strictly  less  than  a in  the  well-founded  ordering 
<.  Thus,  in  trying  to  prove  F(a),  the  well-founded  induction  principle  allows  us  to  assume 
the  induction  hypothesis 

for  all  u,  if  u < a then  F(u). 

In  the  case  that  the  well-founded  set  Is  the  nonnegative  integers  under  the  usual  < 
ordering,  well-founded  induction  reduces  to  the  familiar  complete  induction  principle:  to 
prove  that  F(n)  holds  for  every  nonnegative  integer  n,  we  may  assume  inductively  that 
the  sentence  F(u)  holds  for  all  nonnegative  Integers  u such  that  u < n. 

In  our  inference  system,  the  principle  of  well-founded  induction  is  represented  as  a 
deduction  rule  (rather  than,  say,  an  axiom  schema).  We  present  only  a special  case  of 
this  rule  here. 

Suppose  we  are  constructing  a program  whose  specification  is  of  form 

f[a)  <5  find  z such  that 

for  some  y,  R(a,  y,  z) 
where  P(a). 

Then  our  initial  sequent  is 


assertions 


PM 


goals 


output 


P(a,  y,  z) 
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Then  we  con  always  add  to  our  sequent  a new  assertion,  the  induction  hypothesis 


if  u < a 
then  if  P(u) 

then  R(u,  g(u),  flu)) 


Here,  / denotes  the  program  we  are  trying  to  construct,  and  g is  a new  Skolem  function 
corresponding  to  the  variable  y.  The  well-founded  set  and  the  particular  well-founded 
ordering  < to  be  employed  in  the  proof  have  not  yet  been  determined. 

Let  us  paraphrase:  We  are  attempting  to  construct  a program  / such  that,  for  an 
arbitrary  input  a satisfying  the  input  condition  P(a),  the  output  fla)  will  satisfy  the  output 
condition  R{a,  y,  fla)),  for  some  y,  or,  equivalently,  R(a,  g(a),  fla)).  By  the  well-founded 
induction  principle,  we  can  assume  inductively  that  for  every  u less  than  a in  some  well- 
founded  ordering  such  that  the  input  condition  P(u)  holds,  the  output  flu)  tv.li  satisfy  the 
same  output  condition  R(u,  g(u),  flu)). 

In  general,  wo  could  introduce  an  induction  hypothesis  corresponding  to  any  subset  of 
the  assertions  or  goals  in  our  sequent,  not  just  the  initial  assertion  and  goal;  most  of  these 
induction  hypotheses  would  not  be  relevant  to  the  final  proof,  and  the  proliferation  of  new 
assertions  would  obstruct  our  efforts  to  find  a proof.  Therefore,  we  employ  the  following 
recurrence  strategy  for  determining  when  to  introduce  an  induction  hypothesis. 

Let  us  restrict  our  attention  to  the  case  where  the  induction  hypothesis  is  derived  from 
the  initial  assertion  and  goal.  Suppose  that  Q(a,  y,  z)  is  some  subsentonce  of  the  Initial 
goal;  then  that  goal  may  be  written 

«(Q(«,  y,  z». 

Suppose  further  that  at  some  point  in  the  derivation  an  assertion  or  goal  of  form 
S(%t,  y\  z')) 

Is  developed,  where  t is  an  arbitrary  term  and  y'  and  z'  are  distinct  variables.  In  other 
words,  the  newly  developed  assertion  or  goal  has  a subsentence  (H.t,  y',  z')  that  is  a 
precise  instance  of  a subsentence  Q(a,  y,  z)  of  the  initial  goal.  This  recurrence  motivates 
us  to  add  the  Induction  hypothesis 
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if  u < a 
then  if  P(u) 

then  R(#u,  g(u),  f{u))). 

The  rationale  for  introducing  the  induction  hypothesis  at  this  point  Is  that  now  we  can 
perform  resolution  between  the  induction  hypothesis  and  the  newly  developed  assertion  or 
goal  S^f,  y' , z')),  eliminating  the  subexpression  Q(f,  g{t),  f[t)).  In  fact,  we  do  not  need 
to  introduce  the  induction  hypothesis  unless  the  original  subexpression  Q(a,  y,  z)  and  the 
re currrent  subexpression  Q(f,  y' , z')  have  the  same  polarity,  either  both  positive  or  both 
negative.  For  the  subexpression  Q\.u,  g(u),  fu))  in  the  Inductive  assertion  always  has 
polarity  opposite  to  the  subexpression  Q(a,  y,  z)  of  the  initial  goal;  and  the  induction 
hypothesis  cannot  be  resolved  against  the  newly  developed  assertion  or  goal  unless  the 
eliminated  subexpressions  $u,  g(u),  f{u))  and  Qj,t,  y' , z')  have  opposite  polarity,  by  the 
polarity  strategy  for  resolution. 

Let  us  look  at  an  example.  Suppose  we  are  constructing  a program  rim(t,  j)  to  compute 
the  remainder  of  dividing  a nonnegative  integer  i by  a positive  integer  )\  the  specification 
may  be  expressed  as 

rem(i,  j)  <■  find  z such  that 
for  some  y, 

i = yj  + z and  0 s z and  z < j 
where  0 s i and  0 <). 

(Note  that,  for  simplicity,  we  have  omitted  type  requirements  such  as  integer (().)  Our  initial 
sequent  is  then 


assertions 

goals 

outputs 

0 <>  i and  0 < j 

i ■ yj  + z and  0 sz  and  z <J 

X 

Here,  the  inputs  i and  j are  constants,  for  which  we  can  make  no  substitution;  y and  the 
output  z are  variables. 

Assume  that  during  the  course  of  the  derivation  we  develop  the  goal 


l-J  * y{-j  + z and  0 i z and  t <j  z 
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1 his  goal  is  a precise  instance  of  the  initial  goal 
i = yj  + z and  0 < z and  z <j 

obtained  by  replacing  i by  i-j.  Therefore,  taking  Qji,j,y,z ) to  be  the  initial  goal  itself,  we 
add  as  a new  assertion  the  induction  hypothesis 


if  (ui%u2)  < (i,  j) 
then  i/O  < U|  and  0 < u2 

then  U|  » g(u  |,  u2)'u2  + rem(ut,  u2) 

and  0 < rem(u )t  u2)  and  rem(ut,  u2)  < u2 


Here,  g is  a new  Skolem  function  corresponding  to  the  variable  y,  and  < is  on  arbitrary  well- 
founded  ordering.  Note  that  < is  to  be  defined  on  pairs  because  the  desired  program  / has 
a pair  of  inputs. 

We  can  now  apply  GA-resolution  between  the  goal 


i-j  - yt'j  + z and  0 < z and  z < j z 

and  the  induction  hypothesis;  the  unifying  substitution  0 is 
[ K|  - t-j;  U2  *■  j;  y\  - g(i-j,  j );  z «-  rem(i-j,  j ) ]. 

The  new  goal  is 


true  and 

rtm(i-J,  j ) 

not  (if  (i-j.  j)  <(i,  j) 

then  if  Os  i-j  and  0 <j 

then  false) 

(i-j.  j)<(l,j)and 

remU-j,  J ) 

0 s i-j  and  0 < J 

which  reduces  to 


27 


Note  that  the  recursive  coll  rem(i-j,  j)  has  been  Introduced  into  the  output  entry. 

The  particular  well-founded  ordering  < to  be  employed  in  the  proof  has  not  yet  been 
determined.  To  choose  the  ordering  requires  special  transformation  rules,  which  describe 
known  well-founded  orderings  and  ways  of  combining  them.  In  this  case,  the  ordering  < is 
chosen  to  be  the  < ordering  on  the  first  component  of  the  pairs,  by  application  of  the 
transformation  rule 

(U|,  u2)  <ni  (»|.  vz)  =>  true  if  u,  < vi  and  0 £ ut  and  0 s ig. 

A new  goal 


i-j  < i and  0 < i-j  and  0 £ i and 

rem(i-j,  j) 

(rue  and  0 < i-j  and  0 < j 



is  produced;  this  goal  ultimately  reduces  to 


rem(i-j,  j) 


In  other  words,  in  the  case  that  j £ i,  the  output  rem(i-j,  j)  satisfies  the  desired  program's 
specification. 

In  a later  section  we  will  give  the  full  derivation  of  the  related  program  that  finds  the 
integer  quotient  of  two  integers. 

We  will  not  discuss  here  the  more  general  cose,  where  a newly  developed  assertion  or 
goal  has  a subsentence  that  is  an  instance  of  a subsentence  not  of  the  initial  goal,  but  of 
some  intermediate  goal  or  assertion;  this  situation  accounts  for  the  introduction  of 
"auxiliary  procedures"  to  be  called  by  the  program  under  construction.  We  will  also  not 
discuss  the  case  where  the  new  subsentence  Is  not  a precise  instance  of  the  earlier 
subsentence,  but  where  both  are  instances  of  a somewhat  more  genoral  sentence. 

Some  early  efforts  toward  incorporating  mathematical  Induction  In  a resolution 
framework  were  made  by  J.  L.  Darlington  [1968],  His  system  treated  the  induction 
principle  as  a second-order  axiom  schema  rather  than  as  a deduction  rule;  It  hod  a limited 
ability  to  perform  second-order  unifications. 
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A COMPLETE  EXAMPLE:  Finding  the  Quotient  of  Two  Integer* 

In  this  section,  we  present  a complete  example  that  exploits  most  of  the  features  of 
the  deductive  synthesis  approach.  Our  task  is  to  construct  a program  div(i, ))  tor  finding 
the  integer  quotient  of  dividing  a nonnegative  integer  i by  a positive  integer  J.  Our 
specification  is  expressed  as 

div(i,  j)  <m  find  y such  that 
for  some  z, 

i ■ yj  * z and  0 < z and  z <j 
where  0 s i and  0 < J. 

(For  simplicity,  we  again  omit  type  conditions,  such  as  integer(i),  from  this  discussion).  Our 
initial  sequent  is  therefore 


assertions 

goals 

output 

1.0  si  and  0 < j 

2.  i - yj  * z and  Os  z 
and  z < j 

y 

(Note  that  we  are  enumerating  the  assertions  and  goals.) 

In  presenting  the  derivation  we  will  sometimes  apply  simple  logical  and  algebraic 
transformation  rules  without  mentioning  them  explicitly.  We  assume  that  our  background 
knowledge  includes  the  two  assertions 


3.  u - u 

4.  u s v or  v < u 

Applying  the  andsplit  rule  to  assertion  1 yields  the  new  assertions 


6.0  si 

6.  0 < J 


Assume  we  have  the  following  transformation  rules  that  define  Integer  multiplication: 
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0‘V  =>  0 

(u*  l)*y  =*  u*«  ♦ w. 

Applying  the  first  of  these  rules  to  the  subexpression  y>j  in  goal  2 yields 


7.  i ■ 0 + z and  0 s z and  z < J 


The  unifying  substitution  in  deriving  goal  7 is 
0 = [y  -0;  v -J  ]i 

applying  this  substitution  to  the  output  entry  y produced  the  new  output  0. 
Applying  the  numerical  transformation  rule 


0 ♦ v =>  v 


yields 


8.  i ■ z and  0 i z and  z <j 


The  GA-resolution  rule  can  now  be  applied  between  goal  8 and  the  equality  assertion  3, 
u * u.  The  unifying  substitution  is 


0 « [ u «•  f;  r«-f] 


and  the  eliminated  subexpression  Is  i * i;  we  obtain 


9.0  it  and  i < j 


By  applying  GA-resolution  again,  against  assertion  6,  0 i i,  we  obtain 
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In  other  words,  wo  have  found  that  in  the  case  that  i < j,  the  output  0 will  satisfy  the 
specification  for  the  quotient  program. 

Let  us  return  our  attention  to  the  initial  goal  2, 


i m yj  * z and  0 i z and  z <). 


Recall  that  we  have  a second  transformation  rule 


(u+l)*u  =>  u>v  v 


for  the  multiplication  function.  Applying  this  rule  to  goal  2 yields 


1 1. 1 - y^j  + j + z and  0 $ z and  z < j yi+l 


where  y j is  a new  variable.  Here,  the  unifying  substitution  is 


0 = [y  -Ji  + 15  a -?|i  v -j  ]; 


applying  this  substitution  to  the  output  entry  z produced  the  new  output  y\  + 1 . 


The  transformation  rule 


u = v+ui  =>  u-v  ■ w 


applied  to  goal  1 1 yields 


1 2.  l-j  ■ y,  -j  + z and  0 s z and  z < j 3»i+ 1 


Goal  1 2 Is  a precise  Instance  of  the  initial  goal  2, 


i ■ yj  * z and  0 s z and  i *.), 

obtained  by  replacing  the  Input  l by  »-J.  (Again,  the  replacement  of  the  dummy  variable  y 
by  >|  is  not  significant.)  Therefore,  the  following  induction  hypothesis  is  formed: 
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13.  ug)  <(i,  J) 

then  if  0 i u,  and  0 < u2 

then  u,  - u2)*u2  + A(«|,  u2)  and 

0 s A(u,,  u2)  and  A(U|,  u2)  < u2 


Here,  A is  a Skolem  function  corresponding  to  the  variable  z,  and  < is  an  arbitrary  well- 
founded  ordering. 


By  applying  GA-resolution  between  goal  1 2 and  the  induction  hypothesis,  we  obtain  the 
goal 


and  the  eliminated  subexpression  is 

i-j  - dittl-j,  })•)  + h(i-j,  j)  and  0 s h(i-j,  J)  and  h(i-j,  j ) < J. 

Note  that  the  substitution  to  the  variable  jij  has  caused  the  output  entry  + | to  be 
changed  to  div(i-J,  J)+ 1.  The  use  of  the  induction  hypothesis  has  introduced  the  recursive 
call  div(i-J,  j)  into  the  output. 


Goal  1 4 reduces  to 


A new  goal  is  produced: 


Note  that  the  conditions  of  the  transformation  rule  caused  new  conjuncts  to  be  added  to 
the  goal. 

By  application  of  algebraic  and  logical  transformation  rules,  and  GA-resolution  with  the 
assertion  6,  0 £ l,  and  assertion  6,  0 < j,  goal  16  is  reduced  to 


In  other  words,  we  have  learned  that  in  tho  case  that  J £ i,  the  output  div(i-j,j)+ 1 satisfies 
the  specification  of  the  div  program.  On  the  other  hand,  in  deriving  goal  10  we  learned 
that  in  the  case  that  i <J,  0 is  a satisfactory  output.  Assuming  we  have  the  assertion  4 

u £ v or  v < u, 
we  con  obtain  the  goal 


by  GA-resolution. 
The  final  goal 


can  then  be  obtained  by  GG-resolution  between  goals  10  and  18.  The  conditional 
expression  has  been  formed  because  both  goals  have  a corresponding  output  entry. 
Because  we  have  developed  the  goal  true  and  a corresponding  primitive  output  entry,  the 
derivation  is  complete.  The  final  program 


tfi<J 

then  0 

else  div{i-J,  j)+ 1 


10.  true 


div(i-j,  Jh  1 


1 6.  i-j  < i and  0 < i-j  and  0 s i and 
0 £ i-j  and  0 < j 


1 8.  not(i  < j ) 


div(i-),  j)+ 1 


divii-j,  j)+ 1 


*y-  lyi 1 t 


MMMWMNMMHMi 


<■  ifi<j 
then  0 

else  (tiv{i-j,  j)+ 1 

Is  obtained  directly  from  the  final  output  entry. 

Note  that  the  came  proof  could  be  used  to  derive  a remainder  program  as  well  as  a 
quotient  program.  The  specification  of  the  remainder  program 

rem(i,  j)  <■  find  z such  that 
for  some  y, 

i - yj  + z and  0 s z and  z < j 
where  0 s i and  i < J 

yields  the  same  initial  assertion  and  goal  as  the  quotient  program,  except  that  the  initial 
output  entry  is  z instead  of  y.  The  succeeding  output  entries  are  changed  accordingly. 
The  final  remainder  program  is  then 

rem(i,  J)  <■  if  i < j 
then  i 

else  rem(i-j,  j ). 

We  used  steps  from  the  derivation  of  this  program  to  Illustrate  the  formation  of  recursive 
calls  in  the  section  on  mathematical  induction. 


I 
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ANOTHER  COMPLETE  EXAMPLE:  Finding  the  Last  Element  of  a List 

In  this  example,  we  apply  the  same  techniques  to  derive  a list-processing  program.  Our 
discussion  here  will  be  a bit  more  brisk  than  in  the  preceding  section. 

Our  task  is  to  construct  a program  last(l)  to  find  the  last  element  of  a nonempty  list  /. 
Our  specification  is 

last(l)  <■  find  z such  that 

for  some  y,  l = y <>[z] 
iv here  / » []. 

Recall  that  uov  is  the  result  of  appending  two  lists  u and  v,  [w]  is  the  list  whose  sole 
element  is  w,  and  []  denotes  the  empty  list.  Again,  we  omit  type  conditions,  such  as 
lslist{!),  from  our  discussion. 

Our  initial  sequent  is 


assertions 

goals 

output 

1./  - [] 

ro 

■ 

ve 

A 

V 

N 

z 

Let  us  assume  that  our  subject  knowledge  Includes  the  assertion 

3.  u - u 

and  the  transformation  rules 
[]<>u  =*  u 
(U’V)otV  ■»  U’(VOtv) 

tv  ■ u-v  «♦  tv  0 []  and  head(tv)  = u and  taU(w)  ■ o 
[«]  ^ u-[] 

talliu)  <i  u ■*  true  if  u « []. 
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The  first  two  rules  constitute  the  definition  of  the  append  function  <>;  the  third  expresses 
the  uniqueness  of  the  decomposition  of  a list  Into  a head  and  a tail;  the  fourth  provides  the 
meaning  of  the  abbreviation  [u];  and  the  final  rule  defines  a well-founded  ordering  <L  over 
the  lists. 

The  first  transformation  rule 
[]ou  =*  u 

can  be  applied  to  the  Initial  goal  2, 
l = )i<>[z]i 

the  unifying  substitution  is 

0 *[*-[]!  «-[*]] 


and  the  resulting  goal  is 

I 


4. 1 - [z] 

z 

Applying  the  two  rules 

[u]  u*[] 

S 

and 

I 

w * U‘V  ui  k [j  and  htad(iu ) « u and  tall(w)  • v 

yields 

. 

6 .1  it  []  and  head(t)  - z 
and  tall{l ) - [] 

z 

Applying  GA-resolution  between  goal  6 and  assertion  1 , / * [],  produces  the  goal 

1 

- - 

6.  htad(l)  * z and  tail{l ) - [] 

z 

i 


l 


' 
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Applying  GA-resolution  again.,  between  goal  6 and  assertion  3,  u = u,  produces  the  goal 


7.  tail(l)  - [] 


htadd) 


Here,  the  unifying  substitution  is 

6 * [ z •-  htadd) ; u *>  htadd)  ] 

and  the  eliminated  subexpression  is  htadd)  = htadd).  Note  that  the  substitution  has 
caused  the  output  entry  z to  be  replaced  by  htadd).  We  have  learned  that  in  the  case 
where  taild)  is  empty  the  output  htadd)  satisfies  the  specification  for  last. 

Returning  to  the  Initial  goal  2, 
l = ?<>[z], 

we  can  apply  the  second  transformation  rule 
(u-v)ow  «=*■  a«(»<>w) 

to  the  subexpression  ?<>[z].  The  unifying  substitution  is 
0 ■ [ u -y,;  v ->2i  w - [z];  y ^ ] 
and  the  resulting  goal  is 


8.  / • z 


Applying  the  transformation  rule 

ui  ■ U‘v  «*•  w « []  and  htad(ui)  * u and  tall(u)  ■ v 

yields 


0.  / «•  []  and  htad(l)  - ?i  and  fai/(/)  - >2<>[z]  x 


37 


r 

it ' 

s{ 

L Next,  applying  GA-resolution  between  goal  9 and  assertion  1,  / « [],  and  then  between  the 

resulting  goaf  and  assertion  we  obtain 


Note  that  goal  10  Is  a precise  instance  of  our  initial  goal  2,  / = y<>[z],  obtained  by 
replacing  l by  tail(l );  therefore,  the  following  induction  hypothesis  is  formed: 


» 


Here,  < is  on  arbitrary  well-founded  ordering  and  g is  a Skolem  function  corresponding  to 
the  variable  y. 

We  can  now  apply  GA-resolution  between  goal  10  and  the  induction  hypothesis, 
assertion  1 1 . The  unifying  substitution  is 

6 * [ u ♦-  tail(l)\  y2  «-  g(tail(l))-,  z - last(tail{l ))  ] 

and  the  eliminated  subexpression  is 

tail(l)  * g(tall{l ))  <>  [last(tail(l))] ; 

we  obtain 


which  reduces  to 
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Note  that  the  unifying  substitution  caused  the  introduction  of  the  recursive  call  last(taiHl)) 
in  the  output  entry. 

The  rule 

tail(u)  <L  u =>  true  if  u * [] 

suggests  taking  the  well-founded  ordering  < to  be  <L;  we  derive 


1 4.  / * []  and  tail(l)  + [] 

last(tailU)) 

which  reduces  to 

1 6.  tail(l)  0 [] 

last(tail(l)) 

after  GA-resoluion  with  assertion  1,  / * []. 

We  have  deduced  that  In  the  case  where  tail(l)  0 [],  the  output  last{tai!(l))  satisfies  the 
specification;  on  the  other  hand,  from  goal  7 we  know  that  in  the  cose  where  tail(l)  » [], 
head(l)  is  a satisfactory  output.  Combining  these  two  goals  by  GG-resolution,  we  obtain 


1 6.  true 

if  tail(l)  - [] 
then  hcad(l) 

else  last(tail(l)) 

Because  we  have  derived  the  goal  true  with  a corresponding  primitive  output  entry,  our 
derivation  Is  complete.  The  final  program,  extracted  from  the  final  output  entry,  is 

last(l)  <m  if  tail(l)  « [] 
then  head(l ) 
else  last(tail(l)). 

Note  that  the  same  proof  could  be  used  to  derive  a program  front(l)  to  remove  the  last 
element  from  a nonempty  list  /.  The  specification  for  front  Is 

front(l)  <■  find  y such  that 

for  some  x,  l ■ y«[i] 
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where  / * []. 

This  specification  yields  the  same  initial  assertion  and  goal  as  the  last  program,  except 
that  the  initial  output  entry  is  y instead  of  z.  The  succeeding  output  entries  are  changed 
accordingly,  and  the  final  program  derived  is 

front {l)  <■  iftailU)  * [] 
then  [] 

else  head(l)‘front{tail{l)). 
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APPLICATION  TO  PROGRAM  TRANSFORMATION 

Our  program  synthesis  techniques  can  be  applied  as  well  to  the  transformation  of 
programs.  In  this  application,  we  are  given  a clear  and  concise  program  for  a certain  task, 
which  may  be  inefficient;  we  derive  a more  efficient  equivalent  program,  which  may  be 
neither  clear  nor  concise  (see  Burstall  and  Darlington  [1977]). 

To  transform  a given  program,  we  regard  the  program  itself  as  the  specification  of  a 
new  program.  For  example,  suppose  we  are  given  the  program 

rev(l)  <■  if  l - [] 
then  [] 

else  rev(tail(l))  <>  [head(D] 
where  islist(l) 

for  reversing  the  order  of  the  elements  of  a list  /.  This  program  is  inefficient,  for  it 
requires  many  recursive  calls  to  rev  and  to  the  append  program  <>.  The  specification  for 
the  transformed  program  revnew(l)  Is  then 

revnewU ) <■  find  z such  that  z - rtv(l) 
where  islist(l). 

The  initial  sequent  is  thus 


assertions 

goals 

output 

1 . isli st{l) 

2.  z - rev{l ) 

z 

We  admit  the  new  transformation  rules 
rev(u)  ■>  []  if  u - [] 
and 

rev(u ) -a  rev(tail(u ))  <>  [head(u))  if  u * []; 
these  rules  are  obtained  directly  from  the  given  program. 


In  such  a derivation,  the  given  program  rev  la  not  regarded  as  a primitive  construct  of 
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the  target  language.  For  efficiency  purposes,  we  may  also  choose  to  regard  the  append 
function  <>  as  nonprimitive. 

Applying  our  aynthesis  techniques,  we  can  obtain  the  following  new  program  for 
reversing  a list: 

rtvntwil ) <■  revnew2(l.  []), 

where 

rtvntw2{l,  m)  <■  if  l - [] 
then  m 

tlst  revnew2(tail(l),  htad(l)-m). 

The  derivation  involves  the  formation  of  auxiliary  procedures  and  the  use  of  generalization, 
which  we  do  not  discuss  in  this  paper. 

The  new  program  Is  more  efficient  than  the  given  program  rev(l)\  it  is  essentially 
iterative  and  does  not  employ  the  expensive  <>  operation.  In  general,  however,  unless  we 
introduce  additional  efficiency  criteria,  we  cannot  ensure  that  the  program  we  obtain  is 
more  efficient  than  the  given  program. 
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COMPARISON  WITH  THE  PURE  TRANSFORMATION-RULE  APPROACH 

Recent  work  (e.g.,  Manna  and  Waldinger  [1977],  as  well  os  Burstoll  and  Darlington 
[1977])  does  not  regard  program  synthesis  as  a theorem-proving  task,  but  instead  adopts 
the  basic  approach  of  applying  transformation  rules  directly  to  the  given  specification. 
What  advantage  do  we  obtain  by  shifting  to  a theorem-proving  approach,  when  that 
approach  has  already  been  attempted  and  abandoned? 

The  structure  we  outline  here  is  considerably  simpler  than,  say,  our  implemented 
synthesis  system  DEDALUS.  That  system  required  special  mechanisms  for  the  formation  of 
conditional  expressions  and  recursive  calls,  and  for  the  satisfaction  of  "conjunctive  goals" 
(of  form  " find  z such  that  Rt(z)  and  Rg(z)").  It  relied  on  a backtracking  control  structure, 
that  required  it  to  explore  one  goal  completely  before  attention  could  be  passed  to 
another  goal.  In  the  present  system  these  constructs  are  handled  as  a natural  outgrowth 
of  the  theorem-proving  process.  In  addition,  the  foundation  is  laid  for  the  application  of 
more  sophisticated  search  strategies,  in  which  attention  is  passed  back  and  forth  freely 
between  several  competing  assertions  and  goals. 

Furthermore,  the  task  of  program  synthesis  always  involves  a theorem-proving 
component,  which  is  needed,  say,  to  prove  the  termination  of  the  program  being 
constructed,  or  to  establish  the  input  condition  for  recursive  calls.  (The  Burstall-Darlington 
system  is  interactive  and  relies  on  the  user  to  prove  these  theorems;  DEDALUS 
incorporates  a separate  theorem  prover).  If  we  retain  the  artificial  distinction  between 
program  synthesis  and  theorem  proving,  each  component  must  duplicate  the  efforts  of  the 
other.  The  mechanism  for  forming  recursive  calls  will  be  separate  from  the  induction 
principle;  the  facility  for  handling  specifications  of  the  form 

find  z such  that  Rt{ z)  and  Rg{z) 


will  be  distinct  from  the  facility  for  proving  theorems  of  form 
for  some  z,  R,{z)  and  Rg(z); 


and  so  forth.  By  adopting  a theorem-proving  approach,  we  can  unify  these  two 
components. 

The  two  complete  examples  In  this  paper  have  been  chosen  to  illustrate  the 
advantages  of  the  new  approach;  both  were  beyond  the  capabilities  of  the  DEDALUS 
system. 
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Theorem  proving  was  abandoned  as  an  approach  to  program  synthesis  when  the 
development  of  sufficiently  powerful  automatic  theorem  provers  appeared  to  flounder. 
However,  theorem  provers  have  been  exhibiting  a steady  Increase  in  their  effectiveness, 
and  program  synthesis  is  one  of  the  most  natural  applications  of  these  systems. 
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